Report for xcustomerDanmark 2018-08-31

1  Introduction

This report is made as part of the Proof of Value agreement with xcustomerDanmark. It contains an analysis of the network and of the notices produced in the period 2018-08-17 to 2018-08-31. Based on this analysis, concrete actions are presented that would increase the security of the network and decrease the number of notices produced.

2  Conclusion

Urgent action is required: the active scan (section 6.1) flagged thirteen systems as vulnerable to EternalBlue. EternalBlue exploits a flaw in Microsoft's implementation of the Server Message Block (SMBv1) protocol, tracked as CVE-2017-0143 together with the related CVE-2017-0144 to CVE-2017-0148; it was used by the WannaCry and Petya/NotPetya ransomware. Microsoft fixed it in security bulletin MS17-010. The same scan also shows one host (10.1.2.9) still exposed to CVE-2012-0002 (MS12-020, Remote Desktop Protocol).

Because of the known weaknesses of the NTLM protocols, NTLM usage should be audited and restricted wherever possible. The recommendation is to move to Kerberos-based authentication and, for systems where Kerberos is not available, to allow NTLMv2 only (no LM or NTLMv1). Section 5.4.2 lists the NTLM authentications observed outside business hours; most of the volume comes from a handful of servers authenticating with service accounts, which is where the audit should start.
It is important to keep DNS traffic under control by limiting which resolvers clients may use. Sophisticated malware (RATs, botnets) often relies on resolvers of its own choosing to reach its command-and-control servers. Allowing unrestricted DNS traffic in and out of the network is an ideal scenario for malware propagation.

We strongly recommend disabling all unnecessary protocols and services, SNMP among them. The Simple Network Management Protocol was designed to provide a means of managing and monitoring diverse network devices. It has a client-server architecture and, in versions 1 and 2c, authenticates with community strings sent in cleartext. Many exploits and attack tools target devices left with their default configuration, and section 5.5.1 shows that most SNMP-speaking hosts on this network use version 1 and that the default community names "public" and "private" are in use. Office devices, printers in particular, are rarely patched and ship with insecure and unnecessary protocols enabled by default (e.g. Telnet, HTTP, FTP); leaving these services enabled gives an attacker direct access to the device and to the data it handles.

Regarding TLS and SSL connections: SSL (all versions) and early TLS (1.0 and 1.1) no longer meet minimum security standards because of protocol-level vulnerabilities for which there is no fix. It is critically important to upgrade to TLS 1.2 or later as soon as possible and to disable any fallback to SSL and early TLS. Section 6.2 lists the internal connections still negotiating TLS 1.0 and SSLv3.

2.1  Recommendations

Based on our analysis, we recommend the following actions to enforce your network security baseline.

Short-Term/immediately

  • Analyze the logon failures detected outside business hours (20:00 - 08:00), sections 5.4.1.1 and 5.4.2.2
  • Patch the systems affected by CVE-2017-0143 to CVE-2017-0148 (MS17-010), section 6.1
  • Patch 10.1.2.9 for CVE-2012-0002 (MS12-020), section 6.1

Medium/long-Term

  • Disable unused SNMP and HTTP services; where SNMP is needed, move to SNMPv3 and replace the default community strings (section 5.5.1)
  • Implement firewall rules for DNS so that only the designated internal DNS servers/forwarders may send queries to, and receive answers from, external resolvers (section 5.2.2)
  • Migrate connections still using SSLv3 or TLS 1.0 to TLS 1.2 or above (section 6.2)

3  Overview

This section provides an overview of found vulnerabilities, pressing security threats, important networks and services.

4  Inventory

To properly analyse the notifications produced by MUNINN, the network itself must be understood. This section presents several components of the network as seen by MUNINN.

4.1  Observed Assets

This section presents the machines, devices and PCs that MUNINN has observed on your network.

4.1.1  Network size based on IP addresses

The table below gives the number of distinct hosts observed per prefix; indentation shows how the prefixes nest (a parent's count is the sum of its children).

PREFIX                   HOSTS
0.0.0.0/0                744
  10.0.0.0/8             734
    10.0.0.0/12          650
      10.0.1.0/24        3
      10.1.0.0/20        635
        10.1.1.0/24      7
        10.1.2.0/24      144
        10.1.3.0/24      146
        10.1.4.0/24      12
        10.1.5.0/24      6
        10.1.9.0/24      74
        10.1.10.0/24     5
        10.1.11.0/24     65
        10.1.13.0/24     176
      10.10.0.0/20       12
        10.10.2.0/24     10
        10.10.10.0/24    2
    10.96.0.0/12         52
      10.100.0.0/20      51
        10.100.1.0/24    11
        10.100.2.0/24    3
        10.100.7.0/24    33
        10.100.9.0/24    1
        10.100.12.0/24   1
        10.100.13.0/24   1
        10.100.14.0/24   1
      10.110.1.0/24      1
    10.200.2.0/24        2
    10.220.121.0/24      13
    10.230.102.0/24      1
    10.240.0.0/12        16
      10.240.0.0/16      5
        10.240.11.0/24   2
        10.240.112.0/20  3
          10.240.121.0/24 1
          10.240.122.0/24 2
      10.241.11.0/24     4
      10.242.11.0/24     6
      10.251.1.0/24      1
  172.16.0.0/16          3
    172.16.2.0/24        1
    172.16.50.0/24       2
  192.168.96.0/20        7
    192.168.97.0/24      1
    192.168.98.0/24      6

4.2  Software

This section presents the software that Muninn has detected. This may be useful in order to ensure compliance with IT-policies in your company. When reading this, keep in mind whether employees are expected to use specific applications and note whether the section reflects this.

Most of the observed software is ubiquitous on a corporate network and therefore uninteresting in this context. The chart below shows a filtered list, with irrelevant software removed.

[Figure: Top 15 most frequently observed software, by count. Bars in descending order: MSIE, Snow, SMS, Chrome, ccmhttp, Microsoft-IIS, ASP.NET, CiscoAnyConnect, Apple-iPad5C4, TeamSoftALM, ccmsetup, Spotify, AESMService.]

4.2.1  Used Web Browsers

Detected browser usage

BROWSER  SHARE
MSIE     76.6%
Chrome   19.0%
Firefox  2.98%
Safari   1.49%

Browser extensions and plugins are frequently found to carry malware of some form. It is therefore important that your company has a policy on which plugins and extensions are allowed in the browsers used on your network.

For browsers not covered by such a policy, you may consider restricting their usage.

5  Analysis

This section presents an in-depth analysis of aspects of your network that may reveal cyber security threats.

5.1  Notifications

This section analyzes notifications created by the MUNINN sensor in the period from 2018-08-17 to 2018-08-31.

Below is shown how many of the different categories of notifications were produced on the entire network. The color of the bar denotes how severe a notification was deemed. Note that Point Anomaly notifications have a severity level tied to the anomaly score found and may therefore be either low or medium.

[Figure: Notifications received by category for the whole network; bar colour denotes severity (Low, Medium, High). Categories: Address scan detected, Blacklist match IP, Blacklist match certificate, Blacklist match domain, DNS Multiple Domain Not Found, Invalid certificate detected, Large Transfer Received, Large Transfer Sent, Point Anomaly, Port scan detected, SMB Suspicious File Renaming, Secure com expired certificate detected, Secure com password guessing attempts detected, Secure com soon to expire certificate detected, Weird Activity.]

As expected, low-severity notifications dominate the plot and may obscure more severe problems. The following section addresses this issue.

5.1.1  High and Medium Severity Notifications

For the purposes of this report Low severity notifications are not relevant in and of themselves. They may provide context for other more severe issues, but in the rest of this analysis, only Medium and High severity notifications will be considered unless explicitly stated.

[Figure: Medium and High severity notifications received by category: Address scan detected, Blacklist match certificate, Point Anomaly, Port scan detected, Secure com password guessing attempts detected.]
[Figure: Medium and High severity notifications received per day across all subnets, 2018-08-13 to 2018-08-28, same five categories.]
[Figure: Medium and High severity notifications by subnet (10.1.0.0/20, 10.10.0.0/20, 10.100.0.0/20, 192.168.96.0/20, Other), same five categories.]

5.1.1.1  Hosts

Below is shown which individual hosts produce the most notifications.

[Figure: Top producers of notifications (categories: Secure com password guessing attempts detected, Port scan detected, Blacklist match certificate, Address scan detected). Hosts shown: 10.1.2.139, 10.1.3.4, 10.1.3.130, 10.1.13.43, 10.1.13.203.]

5.1.2  Analysis of notifications

5.1.2.1  Blacklist match

The hosts flagged by these notifications connected at least twice to an IP address that is blacklisted by several antivirus and protection vendors and may be associated with malware or other malicious activity. The events occurred on 2018-08-15, 2018-08-17 and 2018-08-20.

5.1.2.2  Secure com password guessing attempts detected

The logs show that the client 10.1.2.139 is repeatedly trying to connect to 10.100.1.35 on port 22, an Ipswitch WS_FTP server offering SFTP over SSH (server banner WS_FTP-SSH_7.6.2). The failed authentications are most likely caused by a misconfigured client and/or server rather than by an attack: the same host (SRV-MMP121 according to the NTLM data in section 5.4.2) is also the top source of NTLM authentication requests and failures, mostly under service accounts such as vc_ftpz101_transfer, svc_batch and svc_vc, which fits a scheduled transfer job running with stale credentials. The sample also shows the session negotiating diffie-hellman-group1-sha1 and an ssh-dss host key, both deprecated, so the server's SSH configuration should be reviewed as part of the fix.

Sample of one entry from the SSH analyzer log (Bro/Zeek ssh.log fields):

ts : 2018-08-01T01:59:46+0000
uid : Cwy3LD3ZHzzkJOxQPf
id.orig_h : 10.1.2.139
id.orig_p : 57660
id.resp_h : 10.100.1.35
id.resp_p : 22
version : 2
auth_success : F
auth_attempts : 3
direction : -
client : SSH-2.0-SecureBlackbox
server : SSH-2.0-WS_FTP-SSH_7.6.2
cipher_alg : aes256-ctr
mac_alg : hmac-sha1
kex_alg : diffie-hellman-group1-sha1
host_key_alg : ssh-dss
host_key : 75:ad:10:27:44:72:40:88:88:59:c2:75:e0:24:7e:5a

A possible solution is described at: https://community.ipswitch.com/s/question/0D53600001wafm8CAA/ftp-connection-error

5.1.3  Point Anomalies

This section takes a closer look at the anomalies that MUNINN has observed in the network. Low severity Point Anomalies are included in this analysis.

A point anomaly indicates that the traffic originating from a specific host within a set time interval was anomalous compared to the traffic pattern for the whole network.

Point anomalies have three distinct types, based on which attribute of the traffic was anomalous:

  • Duration, total length of the connections in time window.
  • Sent, total amount of data sent by host during time window.
  • Received, total amount of data received during time window.

It is important to note that an anomalous attribute has to be seen in the context of the other attributes of the time window. E.g. a long-running connection may not be anomalous if there was also a matching data transfer.

5.1.3.1  Top 15 hosts with most anomalies

As stated earlier, Point Anomalies carry most meaning when seen in aggregate. Therefore, the 15 hosts associated with the most anomalies are presented in the graphs below.

Each dot corresponds to an observed anomaly. The y-axis gives the anomaly score (how anomalous the event was) and the x-axis the observed anomalous value (duration in seconds, or bytes received or sent).

[Figure: Three scatter plots of anomaly score (0.8 - 1.0) against observed value, one each for Duration (seconds), Received (bytes) and Sent (bytes), for the top 15 hosts: 10.1.1.60, 10.1.2.15, 10.1.2.26, 10.1.2.47, 10.1.2.56, 10.1.2.90, 10.1.2.107, 10.1.2.130, 10.1.2.131, 10.1.2.132, 10.1.9.142, 10.1.9.254, 10.10.2.231, 10.200.2.1, 10.200.2.4.]
[Figure: Top 15 producers of Point Anomaly notifications (count 0 - 400), broken down by (severity, type): (Medium, Sent), (Medium, Received), (Medium, Duration), (Low, Sent), (Low, Received), (Low, Duration); same hosts.]

5.2  DNS Analysis

This section analyzes which domain names are requested (looked-up) and how they are requested.

5.2.1  Top External Queries

To give an overview of the servers in use, the chart below presents which domain names are looked up most often.

[Figure: Top requested domains, by number of requests (up to about 1.5M). In descending order: wpad.xcustomer.local, v10.vortex-win.data.microsoft.com, 3kontakt.dk, vm-robp001.xcustomer.local, cloudservice.heimdalsecurity.com, nexus.officeapps.live.com, webrcs.com, srv-dcp110.xcustomer.local, amazon.com, srv-mmp142.xcustomer.local, google.com, facebook.com, nexusrules.officeapps.live.com, opendns.com, microsoft.com.]

5.2.2  DNS Responders

This shows the servers that respond to DNS queries (or forward them to other DNS servers). It can be used to identify illegitimate DNS servers, or DHCP servers handing out the wrong resolvers.

[Figure: Top 15 most active DNS responders, by served requests (log scale), in descending order: 10.1.2.10, 81.19.224.67, 10.1.2.11, 10.10.2.10, 86.58.128.230, 194.239.134.83, 193.162.153.164, 10.220.121.201, 10.100.7.11, 10.220.121.102, 202.12.27.33, 10.100.7.10, 193.0.14.129, 192.58.128.30, 10.20.2.10.]
[Figure: Local hosts querying external DNS responders, by served requests (log scale), in descending order: 10.1.2.10, 10.1.2.11, 10.1.3.152, 10.1.13.61, 10.1.13.62, 10.1.13.22, 10.1.13.42, 10.1.13.177, 10.1.3.146, 10.1.13.149, 10.1.3.158, 10.1.13.35, 10.1.13.32, 10.1.13.124, 10.1.13.72.]

We note that surprisingly many different servers respond to DNS queries, although there are clearly two main internal DNS servers, 10.1.2.10 and 10.1.2.11. Several of the most active responders are external addresses (81.19.224.67 is the second most active overall), and the second chart shows that, apart from the two internal servers themselves, it is ordinary client hosts in 10.1.3.0/24 and 10.1.13.0/24 that query external resolvers directly. Those are the flows the DNS firewall rule in the recommendations would block.

5.2.3  Failed Lookups

This section looks at domain name queries that the DNS servers could not resolve. Failed lookups can be an indicator of randomly generated domain names used by malware to reach its command-and-control (CnC) infrastructure; a large count of failures for a single name usually points at a misconfigured application that should be fixed. See the notification category "DNS Multiple Domain Not Found".

[Figure: Missed DNS requests per requested name (log scale, roughly 100k to over 1M). Names, in descending order: wpad.xcustomer.local, vm-robp001.xcustomer.local, autodiscover.xcustomer.dk, _autodiscover._tcp.xcustomer.dk, av.pd.fdc.dk, vm-robp001.webspeed.dk, wpad.home, _gc._tcp.srv-dcp211.xcustomer.local, _gc._tcp.pdc._sites.srv-dcp211.xcustomer.local, vpn1.xcustomer.dk, _ldap._tcp.pdc._sites.admin.omni-fdc.dk, _ldap._tcp.admin.omni-fdc.dk, wpad.webspeed.dk, isatap.xcustomer.local, emcrem.sec.dk.xcustomer.local, wpad.cip.local, _ldap._tcp.srv-dcp110.xcustomer.local, _ldap._tcp.pdc._sites.srv-dcp210.xcustomer.local, _ldap._tcp.srv-dcp210.xcustomer.local, _ldap._tcp.pdc._sites.srv-dcp110.xcustomer.local.]

Most of these names are Windows infrastructure lookups (WPAD proxy discovery, Active Directory SRV records, Exchange autodiscover, ISATAP) that fail whenever the record simply does not exist, so this list reads as misconfiguration rather than malware. The high-volume wpad.* and _ldap._tcp.* misses in particular should be fixed at the source, either by publishing the record or by disabling the client feature that asks for it.
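As an added example (not part of the MUNINN report or its tooling), the following Python implements the two checks that sections 5.2.2 and 5.2.3 describe, over Zeek/Bro-style dns.log records: clients receiving answers from resolvers other than the two internal servers, and clients with a high ratio of NXDOMAIN answers once the expected Windows infrastructure lookups (wpad, _ldap._tcp, _gc._tcp, autodiscover, isatap) are discounted. The sample records, the approved-resolver list and the forwarder list are constructed assumptions about this network, not data from the report.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of Zeek/Bro dns.log (a subset of its fields).
# The addresses reuse hosts named in the report, but the rows themselves are made up.
SAMPLE_DNS = [
    # (ts, id.orig_h, id.resp_h, query, rcode_name)
    ("2018-08-20T09:00:01Z", "10.1.3.152", "10.1.2.10", "intranet.xcustomer.local", "NOERROR"),
    ("2018-08-20T09:00:02Z", "10.1.3.152", "10.1.2.10", "wpad.xcustomer.local", "NXDOMAIN"),
    ("2018-08-20T09:00:03Z", "10.1.3.152", "10.1.2.10",
     "_ldap._tcp.pdc._sites.srv-dcp110.xcustomer.local", "NXDOMAIN"),
    ("2018-08-20T09:00:04Z", "10.1.13.61", "8.8.8.8", "google.com", "NOERROR"),
    ("2018-08-20T09:00:05Z", "10.1.13.61", "8.8.8.8", "facebook.com", "NOERROR"),
    ("2018-08-20T09:00:06Z", "10.1.2.10", "193.0.14.129", "amazon.com", "NOERROR"),
    ("2018-08-20T09:00:07Z", "10.1.13.22", "10.1.2.11", "qzxk7a2m.example", "NXDOMAIN"),
    ("2018-08-20T09:00:08Z", "10.1.13.22", "10.1.2.11", "b3vt9pq0.example", "NXDOMAIN"),
    ("2018-08-20T09:00:09Z", "10.1.13.22", "10.1.2.11", "h81lmzc4.example", "NXDOMAIN"),
    ("2018-08-20T09:00:10Z", "10.1.13.22", "10.1.2.11", "microsoft.com", "NOERROR"),
    ("2018-08-20T09:00:11Z", "10.1.13.22", "10.1.2.11", "xn4r2kd7.example", "NXDOMAIN"),
]

# Assumptions for this network: the two internal resolvers the report identifies, and
# the hosts allowed to talk to external DNS at all (the same two, acting as forwarders).
APPROVED_RESOLVERS = {"10.1.2.10", "10.1.2.11"}
FORWARDERS = {"10.1.2.10", "10.1.2.11"}

# Lookups Windows clients make by design; they fail routinely without being suspicious.
EXPECTED_FAILURES = re.compile(
    r"^(wpad\.|isatap\.|autodiscover\.|_autodiscover\._tcp\.|_ldap\._tcp\.|_gc\._tcp\.|_kerberos\._tcp\.)"
)


def unapproved_responders(records, approved=APPROVED_RESOLVERS, forwarders=FORWARDERS):
    """Count (client, responder) pairs where a non-forwarder host got an answer from a
    resolver outside the approved set: exactly the flows an egress rule that only lets
    the forwarders reach port 53 externally would block."""
    hits = Counter()
    for _ts, orig_h, resp_h, _query, _rcode in records:
        if resp_h not in approved and orig_h not in forwarders:
            hits[(orig_h, resp_h)] += 1
    return hits


def nxdomain_report(records, min_queries=4, min_ratio=0.5):
    """Per client: total queries, NXDOMAIN count, and NXDOMAIN count after discarding
    expected infrastructure lookups. Flag the client when the unexplained failure
    ratio is high enough to merit a look (possible DGA, or at least a broken app)."""
    totals, nx_all, nx_unexplained = Counter(), Counter(), Counter()
    examples = defaultdict(list)
    for _ts, orig_h, _resp_h, query, rcode in records:
        totals[orig_h] += 1
        if rcode == "NXDOMAIN":
            nx_all[orig_h] += 1
            if not EXPECTED_FAILURES.match(query):
                nx_unexplained[orig_h] += 1
                examples[orig_h].append(query)
    report = {}
    for host, total in totals.items():
        ratio = nx_unexplained[host] / total
        report[host] = {
            "queries": total,
            "nxdomain": nx_all[host],
            "unexplained_nxdomain": nx_unexplained[host],
            "flagged": total >= min_queries and ratio >= min_ratio,
            "examples": examples[host][:5],
        }
    return report


if __name__ == "__main__":
    for (client, resolver), n in unapproved_responders(SAMPLE_DNS).most_common():
        print(f"{client} -> {resolver}: {n} answers from an unapproved resolver")
    for host, r in nxdomain_report(SAMPLE_DNS).items():
        if r["flagged"]:
            print(f"{host}: {r['unexplained_nxdomain']}/{r['queries']} unexplained NXDOMAIN, e.g. {r['examples']}")
```

Run against real dns.log exports, the first function gives the list of clients (and the resolvers they use) to check before the firewall rule is switched on, so that nothing legitimate breaks; the second keeps the wpad/_ldap noise from the figure above out of the malware hunt.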

5.3  HTTP Analysis

5.3.1  404 Not Found

A 404 response means the web server did not find the requested page. Among the most common causes are application developer errors, web browser hijacking, and application configuration errors.

[Figure: HTTP 404 responses per requester (log scale, roughly 8 to 1000); requesters: 10.1.13.114, 10.1.13.209, 10.1.2.243, 10.1.3.12, 10.1.3.164, 10.1.3.170, 10.1.3.186. Missed URLs: srv-dbu104/ReportServer/Reserved.ReportViewerWebControl.axd?OpType=Resource&Version=14.0.600.437&Name=Microsoft.Reporting.WebForms.Fonts.ReportingServicesGlyphs.eot? ; intranet.xcustomer.local/Templates/Public/Styles/fonts/glyphicons-halflings-regular.woff ; getorganized/_layouts/images/ccm/fldrnew.gif ; finansdanmark.dk/Themes/FIDA/Release/ ; finansdanmark.dk/Assets/GoBasic/Plugins/Release/ ; custwww.netteam.dk/Support/Cisco/Telepresence/TC7/s52020tc7_3_4.pkg.]

5.3.2  HTTP Protocol Servers

Devices acting as HTTP servers: these can be application web servers, printers, or any network device with a web UI. Keep track of them and disable those that are not needed.

No data in this section.

5.4  Authentication Services

This section contains details of the authentication services used on the network. These services are responsible for granting users, machines, applications and application services access to systems.

5.4.1  Kerberos

The Kerberos protocol defines how clients interact with a network authentication service. Clients obtain tickets from the Kerberos Key Distribution Center (KDC) and present these tickets to servers when connections are established; Kerberos tickets represent the client's network credentials. Kerberos is the authentication protocol used by Microsoft Active Directory: Windows Server implements Kerberos v5 as a security support provider, and the KDC uses the domain's Active Directory database as its security account database.

5.4.1.1  Logon failure codes, 20:00 - 08:00

COUNT FAILURE CODE
193675 KDC_ERR_S_PRINCIPAL_UNKNOWN
10802 KDC_ERR_BADOPTION
2488 KRB_AP_ERR_TKT_EXPIRED
569 KDC_ERR_CLIENT_REVOKED
75 KRB_ERR_RESPONSE_TOO_BIG
65 KRB_AP_ERR_SKEW
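As an added example, not from the report or from MUNINN, the Python below reproduces the kind of tabulation shown above from Zeek/Bro-style kerberos.log records: it keeps only failures in the 20:00 - 08:00 window, counts them per error code, attaches the usual cause of each code, and for KDC_ERR_S_PRINCIPAL_UNKNOWN (by far the largest bucket above) lists which service principal each client asked for, since registering or correcting that SPN is the fix and also removes the NTLM fallback those failures trigger. The records are constructed; the hosts and account names reuse ones that appear elsewhere in this report.

```python
from collections import Counter
from datetime import datetime

# Constructed rows in the shape of Zeek/Bro kerberos.log (subset of fields).
# Addresses, accounts and error names reuse ones seen in this report; the rows are made up.
SAMPLE_KRB = [
    # (ts, id.orig_h, client principal, requested service principal, success, error_msg)
    ("2018-08-20T22:15:00", "10.1.2.139", "SRV-MMP121$/XCUSTOMER.LOCAL",
     "cifs/ftpz101.xcustomer.local", False, "KDC_ERR_S_PRINCIPAL_UNKNOWN"),
    ("2018-08-20T22:15:30", "10.1.2.139", "SRV-MMP121$/XCUSTOMER.LOCAL",
     "cifs/ftpz101.xcustomer.local", False, "KDC_ERR_S_PRINCIPAL_UNKNOWN"),
    ("2018-08-20T23:40:12", "10.1.2.241", "administrator/XCUSTOMER.LOCAL",
     "host/srv-mmp146.xcustomer.local", False, "KDC_ERR_CLIENT_REVOKED"),
    ("2018-08-21T02:05:44", "10.1.9.152", "VM10-004$/XCUSTOMER.LOCAL",
     "krbtgt/XCUSTOMER.LOCAL", False, "KRB_AP_ERR_SKEW"),
    ("2018-08-21T07:59:59", "10.1.3.153", "mim/XCUSTOMER.LOCAL",
     "ldap/srv-dcp110.xcustomer.local", True, ""),
    ("2018-08-21T08:00:00", "10.1.3.153", "mim/XCUSTOMER.LOCAL",          # business hours: excluded
     "cifs/oldfileserver.xcustomer.local", False, "KDC_ERR_S_PRINCIPAL_UNKNOWN"),
    ("2018-08-21T12:00:00", "10.1.13.71", "xanl/XCUSTOMER.LOCAL",         # business hours: excluded
     "HTTP/intranet.xcustomer.local", False, "KRB_AP_ERR_TKT_EXPIRED"),
]

# Usual meaning of the codes in the table above (RFC 4120 error names).
LIKELY_CAUSE = {
    "KDC_ERR_S_PRINCIPAL_UNKNOWN": "no account holds the requested SPN; the client usually falls back to NTLM. "
                                   "Register the SPN (setspn) or fix the host name the client uses.",
    "KDC_ERR_BADOPTION": "KDC refused a ticket option; commonly a service attempting constrained delegation "
                         "it is not configured for.",
    "KRB_AP_ERR_TKT_EXPIRED": "ticket presented after its end time; long-lived sessions that never renew.",
    "KDC_ERR_CLIENT_REVOKED": "account disabled, expired or locked out; check for stale service accounts "
                              "and for lockouts caused by guessing.",
    "KRB_ERR_RESPONSE_TOO_BIG": "reply too large for UDP, client retries over TCP; benign, large group memberships.",
    "KRB_AP_ERR_SKEW": "client clock more than 5 minutes from the KDC; fix NTP on the client.",
}


def after_hours(ts, start=20, end=8):
    """True when the ISO-8601 timestamp falls in the [start, 24) or [0, end) hour window."""
    hour = datetime.fromisoformat(ts).hour
    return hour >= start or hour < end


def failure_codes(records, start=20, end=8):
    """Count after-hours Kerberos failures per error code (the table in 5.4.1.1)."""
    return Counter(
        err for ts, _h, _client, _svc, ok, err in records
        if not ok and after_hours(ts, start, end)
    )


def unknown_spn_targets(records, start=20, end=8):
    """(service principal, client host) pairs behind KDC_ERR_S_PRINCIPAL_UNKNOWN:
    the list of SPNs to register, or of names the clients should stop using."""
    out = Counter()
    for ts, orig_h, _client, svc, ok, err in records:
        if not ok and err == "KDC_ERR_S_PRINCIPAL_UNKNOWN" and after_hours(ts, start, end):
            out[(svc, orig_h)] += 1
    return out


def explain(code_counts):
    """Attach the usual cause to each code, most frequent first."""
    return [
        (code, n, LIKELY_CAUSE.get(code, "see RFC 4120 section 7.5.9"))
        for code, n in code_counts.most_common()
    ]


if __name__ == "__main__":
    codes = failure_codes(SAMPLE_KRB)
    for code, n, cause in explain(codes):
        print(f"{n:>6} {code}: {cause}")
    for (svc, host), n in unknown_spn_targets(SAMPLE_KRB).most_common():
        print(f"{n:>6} {host} asked for unregistered SPN {svc}")
```

The same window filter applies to the NTLM tables in section 5.4.2; the two views belong together, because every KDC_ERR_S_PRINCIPAL_UNKNOWN above is typically followed by one of the NTLM authentications listed there.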

5.4.2  NTLM

Windows Challenge/Response (NTLM) is the authentication protocol used on networks that include systems running Windows, and on stand-alone systems. NTLM is about 20 years old; it has been available since Windows NT 4.0 SP4 and is still supported. Per Microsoft's recommendations, however, Kerberos is the preferred authentication method, and NTLM should be used for logon authentication only on stand-alone systems or where Kerberos is not possible.

5.4.2.1  Authentication requests 20:00 - 08:00

Count Source Destination Account (user\host)
26297 10.1.2.139 10.100.1.33 vc_ftpz101_transfer\SRV-MMP121
16584 10.1.2.139 10.1.2.75 svc_vc\SRV-MMP121
16464 10.1.2.139 192.168.98.144 svc_batch\SRV-MMP121
16276 10.1.2.139 192.168.97.144 svc_batch\SRV-MMP121
7884 10.1.2.139 10.1.2.75 vc_b10\SRV-MMP121
7828 10.1.2.139 10.1.2.75 vc_pbs\SRV-MMP121
3430 10.1.2.15 10.100.1.30 bfconverter\SRV-ASP102
2449 10.1.2.241 10.100.1.15 administrator\SRV-MMP146
1789 10.1.2.241 10.10.2.230 zaidnoremac\SRV-MMP146
812 10.1.2.139 10.100.1.33 -\SRV-MMP121
779 10.1.2.139 10.1.2.75 -\SRV-MMP121
631 10.1.2.139 192.168.98.11 -\SRV-MMP121
550 10.1.2.14 10.10.2.10 -\SRV-ASP107
538 10.10.2.230 10.1.2.130 SRV-MSP230$\SRV-MSP230
247 10.10.2.2 10.1.2.10 -\SRV-FSP201
238 10.1.2.246 10.100.7.117 ciscoua\SRV-SEP122
238 10.1.2.246 10.100.7.111 ciscoua\SRV-SEP122
238 10.1.2.222 10.110.1.10 ciscoua\SRV-SEP126
238 10.1.2.222 10.100.7.168 ciscoua\SRV-SEP126
238 10.1.2.222 10.100.7.115 ciscoua\SRV-SEP126
237 10.1.2.246 10.100.7.112 ciscoua\SRV-SEP122
237 10.1.2.222 10.100.7.163 ciscoua\SRV-SEP126
236 10.1.2.246 10.100.7.149 ciscoua\SRV-SEP122
235 10.1.2.246 10.100.7.106 ciscoua\SRV-SEP122
235 10.1.2.246 10.100.7.102 ciscoua\SRV-SEP122
235 10.1.2.222 10.100.7.158 ciscoua\SRV-SEP126
235 10.1.2.222 10.100.7.156 ciscoua\SRV-SEP126
235 10.1.2.222 10.100.7.112 ciscoua\SRV-SEP126
234 10.1.2.246 10.100.7.156 ciscoua\SRV-SEP122
234 10.1.2.222 10.100.7.150 ciscoua\SRV-SEP126
234 10.1.2.222 10.100.7.106 ciscoua\SRV-SEP126
234 10.1.2.222 10.100.7.102 ciscoua\SRV-SEP126
233 10.1.2.246 10.251.1.4 ciscoua\SRV-SEP122
233 10.1.2.246 10.110.1.10 ciscoua\SRV-SEP122
233 10.1.2.246 10.100.7.151 ciscoua\SRV-SEP122
233 10.1.2.222 10.100.7.151 ciscoua\SRV-SEP126
233 10.1.2.222 10.100.7.103 ciscoua\SRV-SEP126
232 10.1.2.246 10.100.7.163 ciscoua\SRV-SEP122
232 10.1.2.246 10.100.7.158 ciscoua\SRV-SEP122
232 10.1.2.246 10.100.7.157 ciscoua\SRV-SEP122
232 10.1.2.246 10.100.7.150 ciscoua\SRV-SEP122
232 10.1.2.246 10.100.7.115 ciscoua\SRV-SEP122
232 10.1.2.246 10.100.7.103 ciscoua\SRV-SEP122
232 10.1.2.222 10.251.1.4 ciscoua\SRV-SEP126
232 10.1.2.222 10.100.7.157 ciscoua\SRV-SEP126
232 10.1.2.222 10.100.7.111 ciscoua\SRV-SEP126
230 10.1.2.246 10.100.7.168 ciscoua\SRV-SEP122
230 10.1.2.222 10.100.7.117 ciscoua\SRV-SEP126
228 10.1.2.222 10.100.7.149 ciscoua\SRV-SEP126
221 10.1.2.246 10.100.7.14 ciscoua\SRV-SEP122
218 10.1.2.222 10.100.7.14 ciscoua\SRV-SEP126
190 10.1.2.222 10.10.2.237 ciscoua\SRV-SEP126
190 10.1.2.220 10.10.2.11 -\SRV-MMP107
187 10.1.2.246 10.10.2.237 ciscoua\SRV-SEP122
182 10.1.2.246 10.100.7.114 ciscoua\SRV-SEP122
182 10.1.2.147 10.251.1.4 zaidnoremac\SRV-MMP141
181 10.1.2.222 10.100.7.114 ciscoua\SRV-SEP126
175 10.1.2.96 10.100.7.11 SRV-MMP117$\SRV-MMP117
166 10.1.2.95 10.100.7.11 SRV-MMP116$\SRV-MMP116
157 10.1.2.222 10.1.9.20 ciscoua\SRV-SEP126
156 10.1.2.139 10.100.1.33 zaidnoremac\SRV-MMP121
152 10.1.2.246 10.1.9.20 ciscoua\SRV-SEP122
150 10.1.2.109 10.100.7.10 SRV-MMP119$\SRV-MMP119
149 10.1.2.97 10.100.7.11 SRV-MMP118$\SRV-MMP118
134 10.1.2.139 10.1.2.75 vc_p6\SRV-MMP121
133 10.1.2.220 10.10.2.10 -\SRV-MMP107
129 10.1.2.109 10.100.7.11 SRV-MMP119$\SRV-MMP119
127 10.1.2.140 10.1.2.75 sqlcred_RISK_execute\SRV-DBP117
124 10.1.2.97 10.100.7.10 SRV-MMP118$\SRV-MMP118
123 10.1.2.246 10.100.7.162 ciscoua\SRV-SEP122
122 10.1.2.222 10.100.7.162 ciscoua\SRV-SEP126
113 10.1.2.95 10.100.7.10 SRV-MMP116$\SRV-MMP116
110 10.1.2.139 192.168.98.11 zaidnoremac\SRV-MMP121
109 10.10.2.2 10.1.2.11 -\SRV-FSP201
107 10.1.2.222 10.10.2.248 ciscoua\SRV-SEP126
107 10.1.2.222 10.100.7.105 ciscoua\SRV-SEP126
105 10.1.2.246 10.10.2.248 ciscoua\SRV-SEP122
105 10.1.2.246 10.100.7.105 ciscoua\SRV-SEP122
103 10.1.3.153 10.1.2.135 mim\PC-PC00WXSM
102 10.1.2.26 10.1.13.60 SRV-DBP115$\SRV-DBP115
100 10.1.3.168 10.1.2.135 kcc\PC-PC0GZX12
100 10.1.2.96 10.100.7.10 SRV-MMP117$\SRV-MMP117
84 10.1.13.71 10.1.2.135 xanl\PC-PF00Q5KW
80 10.1.13.28 10.1.2.135 tkh\PC-046296172753
79 10.1.3.36 10.1.2.135 kmh\PC-PC032G0C
76 10.1.2.26 10.1.13.42 SRV-DBP115$\SRV-DBP115
74 10.1.3.175 10.1.2.135 bbp\PC-PC00TWL2
72 10.1.3.197 10.1.2.135 kbp\PC-PC0LW0G5
72 10.1.3.181 10.1.2.135 hwe\PC-PC0C7KX7
72 10.1.13.60 10.1.2.135 jra\PC-PC00TXAY
72 10.1.13.151 10.1.2.135 tox\PC-PC0L3FYM
70 10.1.13.29 10.1.2.135 DZB\PC-PC0K21LL
69 10.1.13.201 10.1.2.135 mbb\PC-PC0JXL4C
67 10.1.3.178 10.1.2.135 sih\PC-PC0K21K7
66 10.1.3.188 10.1.2.135 kih\PC-PC0BCFZW
65 10.1.13.229 10.1.2.135 jar\PC-PC00TXBM
65 10.1.13.206 10.1.2.135 msp\PC-PC07V2P4
64 10.1.3.189 10.1.2.135 ubu\PC-PC037X1K
61 10.1.3.129 10.1.2.135 gga\PC-PC0LK9M6
60 10.1.13.218 10.1.2.135 hho\PC-PC0JXL4R
59 10.1.3.55 10.1.2.135 jee\PC-PC0BCDPE
59 10.1.2.246 10.100.7.101 ciscoua\SRV-SEP122
59 10.1.13.114 10.1.2.135 cal\PC-PF00SLS1
58 10.1.2.222 10.100.7.101 ciscoua\SRV-SEP126
58 10.1.2.139 10.1.2.75 vc_b58\SRV-MMP121
58 10.1.13.52 10.1.2.135 llb\PC-PC0JXL47
58 10.1.13.144 10.1.2.135 hto\PC-PC0GZX0A
57 10.1.3.154 10.1.2.135 ap\PC-PC0LK9JK
56 10.10.2.231 10.1.2.130 SRV-MSP231$\SRV-MSP231
55 10.1.3.184 10.1.2.135 mlb\PC-PC0A51EY
55 10.100.7.150 10.1.2.11 svc_octopus\PDBUI0002
54 10.1.3.63 10.1.2.135 uek\PC-PC0DX11L
54 10.1.3.145 10.1.2.135 kso\PC-CZC6338SYG
54 10.1.13.131 10.1.2.135 apm\PC-PC07RFK7
53 10.1.13.73 10.1.2.135 mkl\PC-PC0J8C3L
53 10.1.13.211 10.1.2.135 mfc\PC-PC0LK9LH
53 10.1.13.186 10.1.2.135 mk\PC-PC0DX10Q
52 10.1.3.163 10.1.2.135 jal\PC-PC0GZX0G
51 10.1.3.48 10.1.2.135 lba\PC-PC00TWKF
51 10.1.3.199 10.1.2.135 kba\PC-PC0J8C26
51 10.1.3.190 10.1.2.135 thj\PC-S4EM9289
49 10.1.2.246 10.100.7.108 ciscoua\SRV-SEP122
49 10.1.2.222 10.100.7.108 ciscoua\SRV-SEP126
49 10.1.13.202 10.1.2.135 sli\PC-PC0L3G0K
48 10.1.3.3 10.1.2.135 aos\PC-PC06PS5C
48 10.1.3.208 10.1.2.135 mkb\PC-PC0C7KXF
48 10.1.3.198 10.1.2.135 bkl@xcustomer.dk\PC-063218161853
48 10.1.13.192 10.1.2.135 lbm\PC-PC00TWKP
47 10.1.2.147 10.1.2.219 zaidnoremac\SRV-MMP141
47 10.1.13.183 10.1.2.135 hpj\PC-PC0LKKTN
46 10.1.3.198 10.1.2.135 bkl\PC-063218161853
46 10.1.3.170 10.1.2.135 slj\PC-PC0C7KXE
46 10.1.13.225 10.1.2.135 aan\PC-PC0AFHF4
46 10.1.13.184 10.1.2.135 daz\PC-PC0DX10L
45 10.1.13.48 10.1.2.135 stl\PC-PC00TWKW
45 10.1.13.193 10.1.2.135 lvh\PC-PC0LQNX5
44 10.1.3.171 10.1.2.135 urb\PC-PC0AHKZ5
43 10.1.13.45 10.1.2.135 sva\PC-PC0A51F9
42 10.1.13.30 10.1.2.135 lav\PC-R90P6Y4U
42 10.1.13.171 10.1.2.135 kpa\PC-PC0J8JJU
42 10.1.13.16 10.1.2.135 peh\PC-PC0LQNWQ
42 10.100.7.150 10.1.2.10 svc_octopus\PDBUI0002
41 10.1.13.26 10.1.2.135 lav\PC-R90P6Y4U
40 10.1.3.52 10.1.2.135 IC\PC-PC0LK9LA
40 10.1.3.35 10.1.2.135 dam\PC-PC0C7KXA
40 10.1.13.85 10.1.2.135 mwn\PC-PC0LK9JM
39 10.1.3.56 10.1.2.135 beo\PC-PC0DX11Q
39 10.1.3.14 10.1.2.135 caa\PC-PC00TXBA
39 10.1.13.209 10.1.2.135 oln\PC-PC0LK9KN
39 10.1.13.154 10.1.2.135 mrm\PC-PC069JVM
39 10.1.13.149 10.1.2.135 jpn\PC-PC0JWJ33
39 10.1.13.127 10.1.2.135 lll\PC-PC07RFKG
39 10.1.13.115 10.1.2.135 cdm@xcustomer.dk\PC-PC0LK9N1
39 10.1.10.134 10.1.2.26 jrj\PC-PC0BCFZX
37 10.1.3.29 10.1.2.135 lam\PC-PC0LK9JS
37 10.1.3.160 10.1.2.135 psk\PC-PF017YP3
36 10.1.3.37 10.1.2.135 kej\PC-PC0BCFZR
36 10.1.3.145 10.1.2.135 mme\PC-PC07V2NA
36 10.1.3.138 10.1.2.135 mrh\PC-PC0LK9M5
36 10.1.3.133 10.1.2.135 bni\PC-PC0DX11A
36 10.1.13.33 10.1.2.135 hesc\PC-PC00WXT5
36 10.1.13.180 10.1.2.135 nlv\PC-PC0C7KXW
36 10.1.13.145 10.1.2.135 xabi\PC-PF00T08F
35 10.1.3.59 10.1.2.135 mdi\PC-CZC5412D94
35 10.1.3.203 10.1.2.135 fts\PC-R90PC3CA
35 10.1.3.174 10.1.2.135 joje\PC-PC00TXB2
35 10.1.13.26 10.1.2.135 kcc\PC-PC0GZX12
35 10.1.13.24 10.1.2.135 pmf\PC-PB03BEPJ
35 10.1.13.117 10.1.2.135 dab\PC-PC037X1Q
34 10.1.3.7 10.1.2.135 jdk\PC-PC0LK9MW
34 10.1.13.179 10.1.2.135 xnal\PC-PC0LK9LM
33 10.1.3.193 10.1.2.135 hla\PC-PC0LK9HZ
33 10.1.3.180 10.1.2.135 bot\PC-PC0B28XS
33 10.1.13.163 10.1.2.135 abr@xcustomer.Local\PC-PC0CJ39B
33 10.1.13.14 10.1.2.135 sah\PC-PC0J8JJV
32 10.1.3.99 10.1.2.135 kso\PC-CZC6338SYG
32 10.1.3.204 10.1.2.135 jlc\PC-PC0B28XU
32 10.1.3.166 10.1.2.135 lil\PC-PC00TWKJ
32 10.1.3.128 10.1.2.135 mae\PC-PC0BCG0F
32 10.1.13.220 10.1.2.135 nis\PC-PF01KJM4
32 10.1.13.136 10.1.2.135 mjo\PC-PC06PS5A
32 10.1.13.123 10.1.2.135 kbh@xcustomer.dk\PC-PC0LQNXG
31 10.1.3.52 10.1.2.135 mgh\PC-PC0LK9LA
31 10.1.13.153 10.1.2.135 mvi\PC-PC0DX11T
30 10.1.3.57 10.1.2.135 ebe\PC-S4Y09415
30 10.1.13.37 10.1.2.135 ems\PC-PC0DX11W
30 10.1.13.35 10.1.2.135 dlh\PC-PC0LK9JE
30 10.1.13.181 10.1.2.135 nso@xcustomer.Local\PC-PC069JVP
30 10.1.13.176 10.1.2.135 bsam\PC-PC0J8C2G
30 10.1.13.175 10.1.2.135 ddm\PC-PC0K21KD
30 10.1.13.128 10.1.2.135 cro\PC-PC0JXL4B
28 10.1.3.73 10.1.2.135 TNI\PC-PC0K21LJ
28 10.1.3.195 10.1.2.135 rgh\PC-PC0AFHFM
28 10.1.3.173 10.1.2.135 mod\PC-PC0JXL45
28 10.1.3.161 10.1.2.135 rko\PC-PC0L3G0L
28 10.1.13.181 10.1.2.135 tbf\PC-PC0DX10U
28 10.1.13.177 10.1.2.135 low\PC-PC0JXL4G
28 10.1.13.160 10.1.2.135 tja\PC-PB03BENR
28 10.1.13.157 10.1.2.135 mrm\PC-PC069JVM
28 10.1.13.147 10.1.2.135 mhb@xcustomer.dk\PC-PC0BCFZQ

5.4.2.2  Authentication Failures 20:00 - 08:00

Count Source Destination Account (user\host)
811 10.1.2.139 10.100.1.33 -\SRV-MMP121
631 10.1.2.139 192.168.98.11 -\SRV-MMP121
155 10.1.2.139 10.100.1.33 zaidnoremac\SRV-MMP121
108 10.1.2.139 192.168.98.11 zaidnoremac\SRV-MMP121
17 10.1.2.139 10.100.1.33 hnieadmin\SRV-MMP121
10 10.1.2.94 192.168.98.230 svc_sqlrep\SRV-DBP113
10 10.1.2.139 192.168.98.149 adm-pd-jjo\SRV-MMP121
6 10.1.2.139 192.168.98.11 hnieadmin\SRV-MMP121
5 10.1.9.167 10.1.2.11 VM10-005$\VM10-005
5 10.1.9.152 10.1.2.10 VM10-004$\VM10-004
5 10.1.3.161 10.1.2.107 -\PC-PC0L3G0L
3 10.1.13.169 10.1.2.107 -\PC-PC0J8JK7
3 10.1.13.113 10.1.2.107 -\PC-PC0LK9HM
3 10.1.10.87 10.1.2.107 -\PC-PC0LK9K0
3 10.1.10.80 10.1.2.107 -\PC-PC0LQNWQ
3 10.1.10.144 10.1.2.107 -\PC-PC0A51BV
3 10.1.10.115 10.1.2.107 -\PC-PC0LK9LQ
3 10.1.10.105 10.1.2.107 -\PC-PC0A51F5
2 10.1.3.49 10.1.2.11 xcustomer-9P5152N\xcustomer-9P5152N
1 10.1.9.137 10.1.2.11 VM10-007$\VM10-007
1 10.1.3.49 10.10.2.11 xcustomer-9P5152N\xcustomer-9P5152N
1 10.1.3.45 10.1.2.200 -\MINWINPC
1 10.1.3.37 10.1.2.107 -\PC-PC0BCFZR
1 10.1.3.16 10.1.2.200 -\MINWINPC
1 10.1.3.16 10.1.2.11 xcustomer-9P5152N\xcustomer-9P5152N
1 10.1.3.16 10.10.2.11 xcustomer-9P5152N\xcustomer-9P5152N
1 10.1.3.15 10.1.2.107 -\PC-PC0AHKZ8
1 10.1.3.142 10.1.2.107 -\PC-PC0AHKZ8
1 10.1.13.42 10.1.2.107 -\PC-PC069JVP

5.5  Network Traffic General

5.5.1  SNMP Usage

SNMP, the Simple Network Management Protocol, was designed to provide a means of managing and monitoring diverse network devices: an operator can query a device for its status, be alerted to a change in its status, or make configuration changes. If you are not using it, we highly recommend disabling SNMP on the devices. Where it is needed, change the community names away from the defaults, keep write access (the read-write community) under strict control, and prefer SNMPv3 with authentication and privacy over versions 1 and 2c, which send the community string in cleartext.

The table below shows which hosts were seen speaking SNMP, which protocol version(s) they used, and which community strings they were seen with. The communities observed were: - (none), 10.1.2.20, Storage, internal, private, public and wcsadmin; "public" and "private" are vendor defaults. Community membership per host is not reproduced in this abridged table.

HOST VERSION
10.0.1.9 1
10.1.1.60 2c
10.1.2.1 1
10.1.2.159 2c
10.1.2.20 2c
10.1.2.220 1, 2c
10.1.2.56 3, 2c
10.1.4.10 1
10.1.4.100 1
10.1.4.101 1
10.1.4.102 1
10.1.4.103 1
10.1.4.104 1
10.1.4.105 1
10.1.4.106 1
10.1.4.107 1
10.1.4.108 1
10.1.4.109 1
10.1.4.11 1
10.1.4.110 1
10.1.4.111 1
10.1.4.112 1
10.1.4.113 1
10.1.4.114 1
10.1.4.115 1
10.1.4.116 1
10.1.4.117 1
10.1.4.118 1
... ... ... ... ... ... ... ... ...
10.1.4.76 1
10.1.4.77 1
10.1.4.78 1
10.1.4.79 1
10.1.4.8 1
10.1.4.80 1
10.1.4.81 1
10.1.4.82 1
10.1.4.83 1
10.1.4.84 1
10.1.4.85 1
10.1.4.86 1
10.1.4.87 1
10.1.4.88 1
10.1.4.89 1
10.1.4.9 1
10.1.4.90 1
10.1.4.91 1
10.1.4.92 1
10.1.4.93 1
10.1.4.94 1
10.1.4.95 1
10.1.4.96 1
10.1.4.97 1
10.1.4.98 1
10.1.4.99 1
10.100.1.18 1
10.200.1.1 2c
172.28.184.222 1
172.28.68.20 1

(abridged; the full table has 267 rows)

5.6  Transfer analysis

This section looks at how data is being transferred in your network.

5.6.1  From internal to external

Here are presented some statistics for data being transferred from your internal network to public IP addresses. Only transfers above 1 GB are included.

[Figure: Total data transferred from internal hosts (log scale). Internal hosts: 10.1.13.180, 10.1.13.28, 10.1.3.170, 10.1.13.149, 10.1.3.62, 10.1.3.199, 10.1.3.138, 10.1.3.128, 10.1.2.188, 10.1.3.63, 10.1.3.40, 10.1.3.57, 10.1.2.147, 10.1.13.122, 10.1.3.139, 10.1.3.190. External destinations: 69.184.56.207, 69.184.56.206, 69.184.42.206, 69.184.252.3, 69.184.252.19, 68.232.34.200, 52.166.127.214, 205.185.216.10, 2.19.32.89, 195.249.209.161, 17.253.107.202, 143.204.247.91, 143.204.247.118.]
[Figure: Data transfers over time, 2018-08-10 to 2018-08-17, shown per host (Individual) and summed (Aggregated), for the same internal hosts.]

6  Vulnerabilities

6.1  Active Scan

HOST CVE-2017-0143 CVE-2017-0143.1 CVE-2017-7497 CVE-2010-2729 CVE-2017-5638 CVE-2017-5689 CVE-2017-7269 CVE-2012-0002
draquel-dummy.xcustomer.local (10.1.2.4) X 0 0 0 0 0 0 0
10.1.2.16 X 0 0 0 0 0 0 0
10.1.5.33 X 0 0 0 0 0 0 0
vm-robp005.xcustomer.Local (10.1.9.19) X 0 0 0 0 0 0 0
vm-robp011.xcustomer.Local (10.1.9.29) X 0 0 0 0 0 0 0
vm-robp002.xcustomer.Local (10.1.9.33) X 0 0 0 0 0 0 0
vm-robp008.xcustomer.Local (10.1.9.41) X 0 0 0 0 0 0 0
vm-robp010.xcustomer.Local (10.1.9.141) X 0 0 0 0 0 0 0
vm-robp009.xcustomer.Local (10.1.9.147) X 0 0 0 0 0 0 0
10.100.1.18 X 0 0 0 0 0 0 0
sec01.xcustomer.dk (10.100.1.36) X 0 0 0 0 0 0 0
srv-sepz112.xcustomer.local (10.100.1.37) X 0 0 0 0 0 0 0
vdiext.xcustomer.dk (10.100.1.42) X 0 0 0 0 0 0 0
10.1.2.9 0 0 0 0 0 0 0 X

X = vulnerable according to the active scan, 0 = not detected. The thirteen hosts marked under CVE-2017-0143 are exposed to EternalBlue (MS17-010); 10.1.2.9 is exposed to CVE-2012-0002 (MS12-020, Remote Desktop Protocol). Several of the EternalBlue hosts (sec01, vdiext, srv-sepz112) sit in 10.100.1.0/24 alongside the file-transfer servers, so patching should not wait for the next maintenance window.

6.2  Secure Connections TLS(SSL)

SSL/TLS encrypts the channel between two endpoints (for example a web browser and a web server) to provide confidentiality and integrity for the data transmitted over it. SSL and early TLS no longer meet the security needs of entities that implement strong cryptography to protect sensitive data over public or untrusted networks, and no patch can fix them; they have to be disabled. Modern web browsers have also begun refusing SSL connections, which prevents their users from reaching web servers that have not migrated to a more modern protocol. The connections below were observed negotiating SSLv3 or TLS 1.0 inside the network; 10.1.2.65 (eight clients from 10.100.7.0/24) and 10.1.2.238 (the only server still accepting SSLv3) should be addressed first.

Source (client) Destination (server) Version
10.100.1.11 10.1.2.35 TLSv10
10.100.13.10 10.1.2.163 TLSv10
10.100.2.16 10.1.2.35 TLSv10
10.100.7.111 10.1.2.65 TLSv10
10.100.7.112 10.1.2.65 TLSv10
10.100.7.114 10.1.2.131 TLSv10
10.100.7.114 10.1.2.65 TLSv10
10.100.7.117 10.1.2.65 TLSv10
10.100.7.149 10.1.2.65 TLSv10
10.100.7.162 10.1.2.65 TLSv10
10.100.7.163 10.1.2.65 TLSv10
10.100.7.168 10.1.2.65 TLSv10
10.10.10.10 10.1.2.10 TLSv10
10.10.10.10 10.1.2.11 TLSv10
10.10.10.11 10.1.2.238 TLSv10
10.10.2.2 10.1.2.200 TLSv10
10.10.2.231 10.1.2.200 TLSv10
10.10.2.231 10.1.2.90 TLSv10
10.10.2.231 10.1.2.91 TLSv10
10.1.11.190 10.1.2.238 SSLv3
10.1.11.65 10.1.2.238 SSLv3
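As an added example (not part of the report), the Python below takes the connections from the table above as (client, server, version) triples in Zeek/Bro ssl.log naming, plus one constructed TLSv12 row, and orders the servers for remediation: any server still accepting SSL is ranked first, then servers by the number of distinct clients that will break once the old version is switched off, since those clients have to be fixed before or together with the server. The TLS 1.2 baseline is the one the conclusion recommends.

```python
from collections import Counter, defaultdict

# (client, server, negotiated version) for the connections in table 6.2, as reported,
# plus one constructed TLSv12 row to show a compliant connection passing the check.
OBSERVED = [
    ("10.100.1.11", "10.1.2.35", "TLSv10"),
    ("10.100.13.10", "10.1.2.163", "TLSv10"),
    ("10.100.2.16", "10.1.2.35", "TLSv10"),
    ("10.100.7.111", "10.1.2.65", "TLSv10"),
    ("10.100.7.112", "10.1.2.65", "TLSv10"),
    ("10.100.7.114", "10.1.2.131", "TLSv10"),
    ("10.100.7.114", "10.1.2.65", "TLSv10"),
    ("10.100.7.117", "10.1.2.65", "TLSv10"),
    ("10.100.7.149", "10.1.2.65", "TLSv10"),
    ("10.100.7.162", "10.1.2.65", "TLSv10"),
    ("10.100.7.163", "10.1.2.65", "TLSv10"),
    ("10.100.7.168", "10.1.2.65", "TLSv10"),
    ("10.10.10.10", "10.1.2.10", "TLSv10"),
    ("10.10.10.10", "10.1.2.11", "TLSv10"),
    ("10.10.10.11", "10.1.2.238", "TLSv10"),
    ("10.10.2.2", "10.1.2.200", "TLSv10"),
    ("10.10.2.231", "10.1.2.200", "TLSv10"),
    ("10.10.2.231", "10.1.2.90", "TLSv10"),
    ("10.10.2.231", "10.1.2.91", "TLSv10"),
    ("10.1.11.190", "10.1.2.238", "SSLv3"),
    ("10.1.11.65", "10.1.2.238", "SSLv3"),
    ("10.1.3.4", "10.1.2.10", "TLSv12"),  # constructed row: compliant, must not appear
]

# Zeek-style version names in protocol order.
VERSION_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv10": 2, "TLSv11": 3, "TLSv12": 4, "TLSv13": 5}


def severity(version, minimum="TLSv12"):
    """None if the version meets the baseline; 'high' for any SSL version (protocol
    flaws with no fix, e.g. POODLE on SSLv3); 'medium' for TLS 1.0 / 1.1."""
    if VERSION_RANK[version] >= VERSION_RANK[minimum]:
        return None
    return "high" if version.startswith("SSL") else "medium"


def remediation_order(connections, minimum="TLSv12"):
    """Group non-compliant connections by server and order them for remediation: worst
    protocol first, then by the number of distinct clients that would break when the
    server stops accepting the old version (those clients need fixing too)."""
    per_server = defaultdict(lambda: {"clients": set(), "versions": Counter(), "worst": "medium"})
    for client, server, version in connections:
        sev = severity(version, minimum)
        if sev is None:
            continue
        entry = per_server[server]
        entry["clients"].add(client)
        entry["versions"][version] += 1
        if sev == "high":
            entry["worst"] = "high"
    rank = {"high": 0, "medium": 1}
    rows = [
        {"server": server, "severity": e["worst"], "clients": len(e["clients"]),
         "versions": dict(e["versions"])}
        for server, e in per_server.items()
    ]
    return sorted(rows, key=lambda r: (rank[r["severity"]], -r["clients"], r["server"]))


if __name__ == "__main__":
    for row in remediation_order(OBSERVED):
        print(f"{row['severity']:<6} {row['server']:<12} {row['clients']} client(s) {row['versions']}")
```

The client count is the part that matters operationally: disabling TLS 1.0 on 10.1.2.65 without first updating the eight 10.100.7.x clients turns a security finding into an outage.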

7  Appendices

7.1.1  Introduction

The MUNINN network sensor produces several different types of notifications when specific patterns of network traffic are observed. This appendix goes into detail for every type of notification and explains:

  • What causes this type of notification, both benign and malicious.

  • What risks are posed

  • What actions can be taken to mitigate risks and reduce noise

7.1.2  Categories

7.1.2.1  SSH Password Guessing

Password guessing notices arise when at least 5 SSH authentication attempts fail.

7.1.2.1.1  Benign causes

A script using ssh to execute a remote task may retry quickly and repeatedly after a failed login if it is not configured properly.

7.1.2.1.1.1  Mitigation

Make sure any script using ssh implements a backoff strategy when logins fail, e.g. retry after 1 second after the first failed login, after 5 seconds after the second, after 10 seconds after the third, and so on.

This also prevents so-called hammering.

Secondly, investigate what is causing the failed logins, such as deleted users, a changed sshd_config, changed passwords, etc.

7.1.2.1.2  Malicious causes

An active attacker is trying to break into systems by brute-forcing passwords. Such attacks are very common against web sites and web servers and are one of the most common vectors used to compromise them. The process is simple: the attacker tries multiple combinations of usernames and passwords until one works.

This scenario is very serious if the attacked machine is not publicly reachable. If, however, the machine has a public IP, one has to expect opportunistic ssh attacks and secure it accordingly.

7.1.2.1.2.1  Mitigation

7.1.2.1.2.2  Public host

  • Filter by source IP which hosts can reach your SSH service.

  • Reconfigure sshd to accept only passphrase-protected SSH keys and no longer permit plain password authentication.

  • Use hard-to-guess usernames.

  • Move SSH off port 22; this makes the service harder to find for opportunistic scanners.

If you are confident that the server has a secure sshd configuration, you can safely whitelist SSH Password Guessing notices for this particular machine.

7.1.2.1.2.3  Internal host

Find out which host is carrying out these attacks. This machine is most likely compromised and should be disconnected from your internal network. Do not reconnect it until the malware has been removed.

7.1.2.2  Traceroute detected

This notice is raised when a large number of ICMP Time Exceeded messages are observed heading toward hosts that have sent packets with a low TTL.

Traceroute works by sending an ICMP packet with a short TTL. When the TTL runs out, the last router or device that handled the packet sends a response back to the originator instead of forwarding the packet. By gradually increasing the TTL until the packet reaches the final destination, every hop along the way will have responded at some point, allowing the originator to map out the route to the destination.

There are other traceroute techniques, but they are based on the same principle. Traceroute is employed by network diagnostic tools but can also be used for other purposes.

7.1.2.2.1  Benign causes

Someone may be trying to figure out how a machine is connected to the internet, for example to find out whether the connection is being NAT'ed.

7.1.2.2.1.1  Mitigation

Ask the person responsible whether this activity is necessary and/or legitimate.

7.1.2.2.2  Malicious causes

Sophisticated attackers need to gather as much information about their target as possible. Traceroute is used in the reconnaissance phase of an attack to map target networks and to discover possible attack vectors.

7.1.2.3  SQL Injection detected

SQL injection is a way of tricking a SQL server into performing a database query that the creator of a web site did not intend. This is done by manipulating form parameters to include complete queries where only a value inserted into an existing query was expected. By inspecting HTTP parameters and the frequency of requests, a notification is created when it looks like someone is employing this technique.

7.1.2.3.1  Malicious causes

SQL injection is a type of web attack that requires nothing but access to port 80, and it may succeed even against a fully patched system, because the flaw lies in the application code rather than in the platform.

An attacker may be probing a web site to find poorly coded backends that can be tricked into giving up data the user should not be able to access.

7.1.2.3.1.1  Mitigation

  • Audit web application code (look for unescaped input from HTTP parameters) and employ a web scanner such as http://sqlmap.org/

  • Patch the server.

  • Remove unnecessary accounts.
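The mechanism described above, as an added example that is not part of the report: a login backend that pastes HTTP parameters into its SQL text (the kind of unescaped input the audit above looks for) next to the parameterised form that closes the hole. The schema, accounts and query are constructed for the example, and sqlite3 in memory is used so it runs offline.

```python
import sqlite3


def make_db():
    """Constructed user table for the example (in-memory, runs offline)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    conn.commit()
    return conn


def login_vulnerable(conn, name, pw):
    """Backend of the kind the audit in 7.1.2.3 should find: the HTTP
    parameters are pasted into the SQL text, so quote characters in the
    input change the grammar of the statement instead of staying data."""
    sql = "SELECT role FROM users WHERE name = '%s' AND pw = '%s'" % (name, pw)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, name, pw):
    """Hardened form: a parameterised statement. The driver binds the values
    separately from the SQL text, so no input can terminate the literal."""
    sql = "SELECT role FROM users WHERE name = ? AND pw = ?"
    row = conn.execute(sql, (name, pw)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # A parameter carrying its own SQL fragment, as the notice description
    # puts it: a complete query where only a value was expected.
    crafted = "' OR '1'='1"
    print("vulnerable, valid creds :", login_vulnerable(db, "bob", "hunter2"))
    print("vulnerable, crafted     :", login_vulnerable(db, crafted, crafted))
    print("safe, crafted           :", login_safe(db, crafted, crafted))
```

With the crafted parameter the vulnerable query returns the first row's role without any valid password, while the parameterised query returns nothing.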

7.1.2.4  DNS Tunneling

Anomalous DNS queries were observed. Queries with a packet length larger than 512 bytes and queries with names longer than 90 characters are considered abnormal. When such queries are detected more than 5 times within a period of 2 minutes, a DNS tunnel could be ongoing.

All kinds of services, such as web browsing, email, Active Directory, etc., use the Domain Name System (DNS) protocol to turn human-readable names into IP addresses and vice versa. Requests and responses carry just domain names and IP addresses, so these packets are usually very small.

7.1.2.4.0.1  Malicious causes

Someone is using the DNS port to transfer data rather than to perform name lookups. This is a popular way of exfiltrating data since DNS ports are rarely blocked.

DNS tunneling is often used to get free Wi-Fi at public hotspots, where DNS is not restricted even though normal data transfer is. A tunnel is established by hiding data inside DNS requests, which the destination DNS server reassembles into the original data. This becomes a real threat when malicious software uses DNS to get data out of the company network, or even to receive commands and updates from a command and control server.

7.1.2.4.0.2  Mitigation

  • Allow only your internal DNS servers to send and receive DNS queries to and from the outside world; filter DNS port 53 in the firewall for all other hosts.

  • Enforce that client workstations only use your internal, authorized DNS servers.

  • Identify false positives; some applications or discovery services could be detected as DNS tunneling.

7.1.2.5  Port Scan

A machine is sending packets to several ports on several hosts very quickly. If a target host is listening on a port, it may respond, revealing that a service is running on that port. Very often the type of service can be inferred from the port number, e.g. a response on port 80 indicates that the host is running an HTTP service.

7.1.2.5.0.1  Malicious causes

Similarly to traceroute, port scanning is a discovery tactic in which the attacker attempts to get a listing of the services running on remote hosts, including those that may be vulnerable to remote exploitation.

7.1.2.5.0.2  Mitigation

  • Ensure that unnecessary ports and services are closed and that proper network segmentation is in place to protect critical servers and devices.

  • Filter false positives generated by legitimate vulnerability scanning tools.

7.1.2.6  DNS Multiple Domain Not Found

Multiple NXDOMAIN responses were sent by a DNS server to a querying host.

NXDOMAIN is a DNS response code returned to the resolver when a request to resolve a domain is sent to the DNS server and the name cannot be resolved to an IP address. A device may receive an NXDOMAIN response from the DNS server for several reasons:

7.1.2.6.0.1  Benign causes

  • A user entered a domain with a typo when trying to visit a website.

  • An application on the client is misconfigured, e.g. an FTP server has moved to a new domain, leaving FTP clients trying to resolve the server under the old name.

  • Some antivirus software, such as McAfee and Kaspersky, uses DNS queries to detect malware and can therefore generate false positives.

7.1.2.6.0.2  Mitigation

Check the requested domains to see if they are typos or obsolete server names. If many notifications are triggered by the same host, there is a good chance that it has a misconfigured application.

7.1.2.6.0.3  Malicious causes

  • A web browser reaches out to random local domains on startup to check for NXDOMAIN hijacking by the resolver.

  • A device is infected with a bot that uses a domain generation algorithm (DGA) in order to participate in a botnet.

The reason to monitor DNS NXDOMAIN responses is that some forms of malware (largely bots) leverage domain generation algorithms (DGA) to try to reach their command and control (C&C) servers. It is possible to see hundreds, and sometimes thousands, of requests per day generated by the DGA used by the malware. Most randomly generated domains requested by an infected host will trigger an NXDOMAIN response from the DNS server. If you monitor NXDOMAIN responses and keep a score per client, you can raise awareness of suspicious behaviour.

7.1.2.6.0.4  Mitigation

  • Look at the notification description and check the domains queried.

  • Filter false positives: if McAfee domains are creating this notification, whitelist those domains.

  • Check whether the domains are blacklisted or have a poor reputation on https://www.virustotal.com or http://www.urlvoid.com/
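A detection routine for both DNS notices, the DNS Tunneling rule of 7.1.2.4 (packet over 512 bytes or name over 90 characters, more than 5 hits within 2 minutes) and the per-client NXDOMAIN score suggested in 7.1.2.6, run over constructed query records. This is an added example, not the MUNINN sensor's own logic; the log format, the NXDOMAIN threshold of 20 and the mcafee.com allowlist are assumptions.

```python
"""Detection logic for the DNS Tunneling (7.1.2.4) and DNS Multiple Domain
Not Found (7.1.2.6) notices, run over sample query records.
Added example, not the MUNINN sensor's code.

Assumed input format (constructed for this example): one query per line,
tab-separated as  <unix ts>  <client ip>  <query name>  <packet bytes>  <rcode>
"""
from collections import defaultdict, deque

# Thresholds taken from the DNS Tunneling notice description.
MAX_PACKET_LEN = 512     # bytes; larger queries count as abnormal
MAX_NAME_LEN = 90        # characters; longer names count as abnormal
TUNNEL_HITS = 5          # more than this many abnormal queries ...
TUNNEL_WINDOW = 120.0    # ... within this many seconds raises a notice
# Assumptions for the NXDOMAIN rule: the report gives no numeric threshold,
# and the allowlist stands for the antivirus domains it says to whitelist.
NXDOMAIN_THRESHOLD = 20
ALLOWED_SUFFIXES = ("mcafee.com",)


def parse_line(line):
    ts, client, qname, plen, rcode = line.rstrip("\n").split("\t")
    return {"ts": float(ts), "client": client, "qname": qname.rstrip("."),
            "plen": int(plen), "rcode": rcode}


def is_allowed(qname):
    return any(qname == s or qname.endswith("." + s) for s in ALLOWED_SUFFIXES)


def is_abnormal(rec):
    """Oversized packet or over-long name: the two tunnel indicators."""
    return rec["plen"] > MAX_PACKET_LEN or len(rec["qname"]) > MAX_NAME_LEN


def detect_tunnels(records):
    """Return {client: ts of first notice} for clients that sent more than
    TUNNEL_HITS abnormal queries inside a sliding TUNNEL_WINDOW window."""
    recent = defaultdict(deque)
    notices = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        if not is_abnormal(rec) or is_allowed(rec["qname"]):
            continue
        window = recent[rec["client"]]
        window.append(rec["ts"])
        while rec["ts"] - window[0] > TUNNEL_WINDOW:
            window.popleft()
        if len(window) > TUNNEL_HITS and rec["client"] not in notices:
            notices[rec["client"]] = rec["ts"]
    return notices


def nxdomain_scores(records):
    """Per-client count of NXDOMAIN answers, ignoring allowlisted domains."""
    scores = defaultdict(int)
    for rec in records:
        if rec["rcode"] == "NXDOMAIN" and not is_allowed(rec["qname"]):
            scores[rec["client"]] += 1
    return dict(scores)


def suspicious_nxdomain_clients(records, threshold=NXDOMAIN_THRESHOLD):
    return sorted(c for c, n in nxdomain_scores(records).items() if n >= threshold)


def sample_log():
    """Constructed traffic, not captured from the customer network."""
    lines = ["1535000000\t10.1.3.50\twww.example.com\t60\tNOERROR",
             "1535000010\t10.1.3.50\twww.exmaple.com\t60\tNXDOMAIN",   # typo
             "1535000020\t10.1.3.50\tbig.example.com\t700\tNOERROR"]  # one oversize
    # Six 96-character hex labels from one client within two minutes.
    for i in range(6):
        label = ("%02x" % i) * 48
        lines.append("%d\t10.1.3.99\t%s.t.example.net\t140\tNOERROR"
                     % (1535000100 + 15 * i, label))
    # Bursts of random-looking names that never resolve (DGA-like).
    for i in range(25):
        label = "".join(chr(97 + (7 * i + 5 * k * k) % 26) for k in range(12))
        lines.append("%d\t10.1.3.77\t%s.com\t70\tNXDOMAIN" % (1535000300 + i, label))
    # Long, unresolvable lookups under an allowlisted antivirus domain.
    for i in range(30):
        lines.append("%d\t10.1.3.88\t%s.lookup.mcafee.com\t90\tNXDOMAIN"
                     % (1535000500 + i, "h" * 80))
    return lines


if __name__ == "__main__":
    recs = [parse_line(l) for l in sample_log()]
    print("possible DNS tunnels:", detect_tunnels(recs))
    print("NXDOMAIN scores:", nxdomain_scores(recs))
    print("clients to investigate:", suspicious_nxdomain_clients(recs))
```

A single oversize query (10.1.3.50) stays below the tunnel threshold, and the allowlisted antivirus lookups (10.1.3.88) are excluded from both rules, which is the whitelisting the mitigation lists describe.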

7.2  NTLM Details

Times Source Destination Account
26297 10.1.2.139 10.100.1.33 vc_ftpz101_transfer\SRV-MMP121
16584 10.1.2.139 10.1.2.75 svc_vc\SRV-MMP121
16464 10.1.2.139 192.168.98.144 svc_batch\SRV-MMP121
16276 10.1.2.139 192.168.97.144 svc_batch\SRV-MMP121
7884 10.1.2.139 10.1.2.75 vc_b10\SRV-MMP121
7828 10.1.2.139 10.1.2.75 vc_pbs\SRV-MMP121
3430 10.1.2.15 10.100.1.30 bfconverter\SRV-ASP102
2449 10.1.2.241 10.100.1.15 administrator\SRV-MMP146
1789 10.1.2.241 10.10.2.230 zaidnoremac\SRV-MMP146
812 10.1.2.139 10.100.1.33 -\SRV-MMP121
779 10.1.2.139 10.1.2.75 -\SRV-MMP121
631 10.1.2.139 192.168.98.11 -\SRV-MMP121
550 10.1.2.14 10.10.2.10 -\SRV-ASP107
538 10.10.2.230 10.1.2.130 SRV-MSP230$\SRV-MSP230
247 10.10.2.2 10.1.2.10 -\SRV-FSP201
238 10.1.2.246 10.100.7.117 ciscoua\SRV-SEP122
238 10.1.2.246 10.100.7.111 ciscoua\SRV-SEP122
238 10.1.2.222 10.110.1.10 ciscoua\SRV-SEP126
238 10.1.2.222 10.100.7.168 ciscoua\SRV-SEP126
238 10.1.2.222 10.100.7.115 ciscoua\SRV-SEP126
237 10.1.2.246 10.100.7.112 ciscoua\SRV-SEP122
237 10.1.2.222 10.100.7.163 ciscoua\SRV-SEP126
236 10.1.2.246 10.100.7.149 ciscoua\SRV-SEP122
235 10.1.2.246 10.100.7.106 ciscoua\SRV-SEP122
235 10.1.2.246 10.100.7.102 ciscoua\SRV-SEP122
235 10.1.2.222 10.100.7.158 ciscoua\SRV-SEP126
235 10.1.2.222 10.100.7.156 ciscoua\SRV-SEP126
235 10.1.2.222 10.100.7.112 ciscoua\SRV-SEP126
234 10.1.2.246 10.100.7.156 ciscoua\SRV-SEP122
234 10.1.2.222 10.100.7.150 ciscoua\SRV-SEP126
234 10.1.2.222 10.100.7.106 ciscoua\SRV-SEP126
234 10.1.2.222 10.100.7.102 ciscoua\SRV-SEP126
233 10.1.2.246 10.251.1.4 ciscoua\SRV-SEP122
233 10.1.2.246 10.110.1.10 ciscoua\SRV-SEP122
233 10.1.2.246 10.100.7.151 ciscoua\SRV-SEP122
233 10.1.2.222 10.100.7.151 ciscoua\SRV-SEP126
233 10.1.2.222 10.100.7.103 ciscoua\SRV-SEP126
232 10.1.2.246 10.100.7.163 ciscoua\SRV-SEP122
232 10.1.2.246 10.100.7.158 ciscoua\SRV-SEP122
232 10.1.2.246 10.100.7.157 ciscoua\SRV-SEP122
232 10.1.2.246 10.100.7.150 ciscoua\SRV-SEP122
232 10.1.2.246 10.100.7.115 ciscoua\SRV-SEP122
232 10.1.2.246 10.100.7.103 ciscoua\SRV-SEP122
232 10.1.2.222 10.251.1.4 ciscoua\SRV-SEP126
232 10.1.2.222 10.100.7.157 ciscoua\SRV-SEP126
232 10.1.2.222 10.100.7.111 ciscoua\SRV-SEP126
230 10.1.2.246 10.100.7.168 ciscoua\SRV-SEP122
230 10.1.2.222 10.100.7.117 ciscoua\SRV-SEP126
228 10.1.2.222 10.100.7.149 ciscoua\SRV-SEP126
221 10.1.2.246 10.100.7.14 ciscoua\SRV-SEP122
218 10.1.2.222 10.100.7.14 ciscoua\SRV-SEP126
190 10.1.2.222 10.10.2.237 ciscoua\SRV-SEP126
190 10.1.2.220 10.10.2.11 -\SRV-MMP107
187 10.1.2.246 10.10.2.237 ciscoua\SRV-SEP122
182 10.1.2.246 10.100.7.114 ciscoua\SRV-SEP122
182 10.1.2.147 10.251.1.4 zaidnoremac\SRV-MMP141
181 10.1.2.222 10.100.7.114 ciscoua\SRV-SEP126
175 10.1.2.96 10.100.7.11 SRV-MMP117$\SRV-MMP117
166 10.1.2.95 10.100.7.11 SRV-MMP116$\SRV-MMP116
157 10.1.2.222 10.1.9.20 ciscoua\SRV-SEP126
156 10.1.2.139 10.100.1.33 zaidnoremac\SRV-MMP121
152 10.1.2.246 10.1.9.20 ciscoua\SRV-SEP122
150 10.1.2.109 10.100.7.10 SRV-MMP119$\SRV-MMP119
149 10.1.2.97 10.100.7.11 SRV-MMP118$\SRV-MMP118
134 10.1.2.139 10.1.2.75 vc_p6\SRV-MMP121
133 10.1.2.220 10.10.2.10 -\SRV-MMP107
129 10.1.2.109 10.100.7.11 SRV-MMP119$\SRV-MMP119
127 10.1.2.140 10.1.2.75 sqlcred_RISK_execute\SRV-DBP117
124 10.1.2.97 10.100.7.10 SRV-MMP118$\SRV-MMP118
123 10.1.2.246 10.100.7.162 ciscoua\SRV-SEP122
122 10.1.2.222 10.100.7.162 ciscoua\SRV-SEP126
113 10.1.2.95 10.100.7.10 SRV-MMP116$\SRV-MMP116
110 10.1.2.139 192.168.98.11 zaidnoremac\SRV-MMP121
109 10.10.2.2 10.1.2.11 -\SRV-FSP201
107 10.1.2.222 10.10.2.248 ciscoua\SRV-SEP126
107 10.1.2.222 10.100.7.105 ciscoua\SRV-SEP126
105 10.1.2.246 10.10.2.248 ciscoua\SRV-SEP122
105 10.1.2.246 10.100.7.105 ciscoua\SRV-SEP122
103 10.1.3.153 10.1.2.135 mim\PC-PC00WXSM
102 10.1.2.26 10.1.13.60 SRV-DBP115$\SRV-DBP115
100 10.1.3.168 10.1.2.135 kcc\PC-PC0GZX12
100 10.1.2.96 10.100.7.10 SRV-MMP117$\SRV-MMP117
84 10.1.13.71 10.1.2.135 xanl\PC-PF00Q5KW
80 10.1.13.28 10.1.2.135 tkh\PC-046296172753
79 10.1.3.36 10.1.2.135 kmh\PC-PC032G0C
76 10.1.2.26 10.1.13.42 SRV-DBP115$\SRV-DBP115
74 10.1.3.175 10.1.2.135 bbp\PC-PC00TWL2
72 10.1.3.197 10.1.2.135 kbp\PC-PC0LW0G5
72 10.1.3.181 10.1.2.135 hwe\PC-PC0C7KX7
72 10.1.13.60 10.1.2.135 jra\PC-PC00TXAY
72 10.1.13.151 10.1.2.135 tox\PC-PC0L3FYM
70 10.1.13.29 10.1.2.135 DZB\PC-PC0K21LL
69 10.1.13.201 10.1.2.135 mbb\PC-PC0JXL4C
67 10.1.3.178 10.1.2.135 sih\PC-PC0K21K7
66 10.1.3.188 10.1.2.135 kih\PC-PC0BCFZW
65 10.1.13.229 10.1.2.135 jar\PC-PC00TXBM
65 10.1.13.206 10.1.2.135 msp\PC-PC07V2P4
64 10.1.3.189 10.1.2.135 ubu\PC-PC037X1K
61 10.1.3.129 10.1.2.135 gga\PC-PC0LK9M6
60 10.1.13.218 10.1.2.135 hho\PC-PC0JXL4R
59 10.1.3.55 10.1.2.135 jee\PC-PC0BCDPE
59 10.1.2.246 10.100.7.101 ciscoua\SRV-SEP122
59 10.1.13.114 10.1.2.135 cal\PC-PF00SLS1
58 10.1.2.222 10.100.7.101 ciscoua\SRV-SEP126
58 10.1.2.139 10.1.2.75 vc_b58\SRV-MMP121
58 10.1.13.52 10.1.2.135 llb\PC-PC0JXL47
58 10.1.13.144 10.1.2.135 hto\PC-PC0GZX0A
57 10.1.3.154 10.1.2.135 ap\PC-PC0LK9JK
56 10.10.2.231 10.1.2.130 SRV-MSP231$\SRV-MSP231
55 10.1.3.184 10.1.2.135 mlb\PC-PC0A51EY
55 10.100.7.150 10.1.2.11 svc_octopus\PDBUI0002
54 10.1.3.63 10.1.2.135 uek\PC-PC0DX11L
54 10.1.3.145 10.1.2.135 kso\PC-CZC6338SYG
54 10.1.13.131 10.1.2.135 apm\PC-PC07RFK7
53 10.1.13.73 10.1.2.135 mkl\PC-PC0J8C3L
53 10.1.13.211 10.1.2.135 mfc\PC-PC0LK9LH
53 10.1.13.186 10.1.2.135 mk\PC-PC0DX10Q
52 10.1.3.163 10.1.2.135 jal\PC-PC0GZX0G
51 10.1.3.48 10.1.2.135 lba\PC-PC00TWKF
51 10.1.3.199 10.1.2.135 kba\PC-PC0J8C26
51 10.1.3.190 10.1.2.135 thj\PC-S4EM9289
49 10.1.2.246 10.100.7.108 ciscoua\SRV-SEP122
49 10.1.2.222 10.100.7.108 ciscoua\SRV-SEP126
49 10.1.13.202 10.1.2.135 sli\PC-PC0L3G0K
48 10.1.3.3 10.1.2.135 aos\PC-PC06PS5C
48 10.1.3.208 10.1.2.135 mkb\PC-PC0C7KXF
48 10.1.3.198 10.1.2.135 bkl@xcustomer.dk\PC-063218161853
48 10.1.13.192 10.1.2.135 lbm\PC-PC00TWKP
47 10.1.2.147 10.1.2.219 zaidnoremac\SRV-MMP141
47 10.1.13.183 10.1.2.135 hpj\PC-PC0LKKTN
46 10.1.3.198 10.1.2.135 bkl\PC-063218161853
46 10.1.3.170 10.1.2.135 slj\PC-PC0C7KXE
46 10.1.13.225 10.1.2.135 aan\PC-PC0AFHF4
46 10.1.13.184 10.1.2.135 daz\PC-PC0DX10L
45 10.1.13.48 10.1.2.135 stl\PC-PC00TWKW
45 10.1.13.193 10.1.2.135 lvh\PC-PC0LQNX5
44 10.1.3.171 10.1.2.135 urb\PC-PC0AHKZ5
43 10.1.13.45 10.1.2.135 sva\PC-PC0A51F9
42 10.1.13.30 10.1.2.135 lav\PC-R90P6Y4U
42 10.1.13.171 10.1.2.135 kpa\PC-PC0J8JJU
42 10.1.13.16 10.1.2.135 peh\PC-PC0LQNWQ
42 10.100.7.150 10.1.2.10 svc_octopus\PDBUI0002
41 10.1.13.26 10.1.2.135 lav\PC-R90P6Y4U
40 10.1.3.52 10.1.2.135 IC\PC-PC0LK9LA
40 10.1.3.35 10.1.2.135 dam\PC-PC0C7KXA
40 10.1.13.85 10.1.2.135 mwn\PC-PC0LK9JM
39 10.1.3.56 10.1.2.135 beo\PC-PC0DX11Q
39 10.1.3.14 10.1.2.135 caa\PC-PC00TXBA
39 10.1.13.209 10.1.2.135 oln\PC-PC0LK9KN
39 10.1.13.154 10.1.2.135 mrm\PC-PC069JVM
39 10.1.13.149 10.1.2.135 jpn\PC-PC0JWJ33
39 10.1.13.127 10.1.2.135 lll\PC-PC07RFKG
39 10.1.13.115 10.1.2.135 cdm@xcustomer.dk\PC-PC0LK9N1
39 10.1.10.134 10.1.2.26 jrj\PC-PC0BCFZX
37 10.1.3.29 10.1.2.135 lam\PC-PC0LK9JS
37 10.1.3.160 10.1.2.135 psk\PC-PF017YP3
36 10.1.3.37 10.1.2.135 kej\PC-PC0BCFZR
36 10.1.3.145 10.1.2.135 mme\PC-PC07V2NA
36 10.1.3.138 10.1.2.135 mrh\PC-PC0LK9M5
36 10.1.3.133 10.1.2.135 bni\PC-PC0DX11A
36 10.1.13.33 10.1.2.135 hesc\PC-PC00WXT5
36 10.1.13.180 10.1.2.135 nlv\PC-PC0C7KXW
36 10.1.13.145 10.1.2.135 xabi\PC-PF00T08F
35 10.1.3.59 10.1.2.135 mdi\PC-CZC5412D94
35 10.1.3.203 10.1.2.135 fts\PC-R90PC3CA
35 10.1.3.174 10.1.2.135 joje\PC-PC00TXB2
35 10.1.13.26 10.1.2.135 kcc\PC-PC0GZX12
35 10.1.13.24 10.1.2.135 pmf\PC-PB03BEPJ
35 10.1.13.117 10.1.2.135 dab\PC-PC037X1Q
34 10.1.3.7 10.1.2.135 jdk\PC-PC0LK9MW
34 10.1.13.179 10.1.2.135 xnal\PC-PC0LK9LM
33 10.1.3.193 10.1.2.135 hla\PC-PC0LK9HZ
33 10.1.3.180 10.1.2.135 bot\PC-PC0B28XS
33 10.1.13.163 10.1.2.135 abr@xcustomer.Local\PC-PC0CJ39B
33 10.1.13.14 10.1.2.135 sah\PC-PC0J8JJV
32 10.1.3.99 10.1.2.135 kso\PC-CZC6338SYG
32 10.1.3.204 10.1.2.135 jlc\PC-PC0B28XU
32 10.1.3.166 10.1.2.135 lil\PC-PC00TWKJ
32 10.1.3.128 10.1.2.135 mae\PC-PC0BCG0F
32 10.1.13.220 10.1.2.135 nis\PC-PF01KJM4
32 10.1.13.136 10.1.2.135 mjo\PC-PC06PS5A
32 10.1.13.123 10.1.2.135 kbh@xcustomer.dk\PC-PC0LQNXG
31 10.1.3.52 10.1.2.135 mgh\PC-PC0LK9LA
31 10.1.13.153 10.1.2.135 mvi\PC-PC0DX11T
30 10.1.3.57 10.1.2.135 ebe\PC-S4Y09415
30 10.1.13.37 10.1.2.135 ems\PC-PC0DX11W
30 10.1.13.35 10.1.2.135 dlh\PC-PC0LK9JE
30 10.1.13.181 10.1.2.135 nso@xcustomer.Local\PC-PC069JVP
30 10.1.13.176 10.1.2.135 bsam\PC-PC0J8C2G
30 10.1.13.175 10.1.2.135 ddm\PC-PC0K21KD
30 10.1.13.128 10.1.2.135 cro\PC-PC0JXL4B
28 10.1.3.73 10.1.2.135 TNI\PC-PC0K21LJ
28 10.1.3.195 10.1.2.135 rgh\PC-PC0AFHFM
28 10.1.3.173 10.1.2.135 mod\PC-PC0JXL45
28 10.1.3.161 10.1.2.135 rko\PC-PC0L3G0L
28 10.1.13.181 10.1.2.135 tbf\PC-PC0DX10U
28 10.1.13.177 10.1.2.135 low\PC-PC0JXL4G
28 10.1.13.160 10.1.2.135 tja\PC-PB03BENR
28 10.1.13.157 10.1.2.135 mrm\PC-PC069JVM
28 10.1.13.147 10.1.2.135 mhb@xcustomer.dk\PC-PC0BCFZQ

7.3  NTLM Failures Details

Times Source Destination Account
811.0 10.1.2.139 10.100.1.33 -\SRV-MMP121
631.0 10.1.2.139 192.168.98.11 -\SRV-MMP121
155.0 10.1.2.139 10.100.1.33 zaidnoremac\SRV-MMP121
108.0 10.1.2.139 192.168.98.11 zaidnoremac\SRV-MMP121
17.0 10.1.2.139 10.100.1.33 hnieadmin\SRV-MMP121
10.0 10.1.2.94 192.168.98.230 svc_sqlrep\SRV-DBP113
10.0 10.1.2.139 192.168.98.149 adm-pd-jjo\SRV-MMP121
6.0 10.1.2.139 192.168.98.11 hnieadmin\SRV-MMP121
5.0 10.1.9.167 10.1.2.11 VM10-005$\VM10-005
5.0 10.1.9.152 10.1.2.10 VM10-004$\VM10-004
5.0 10.1.3.161 10.1.2.107 -\PC-PC0L3G0L
3.0 10.1.13.169 10.1.2.107 -\PC-PC0J8JK7
3.0 10.1.13.113 10.1.2.107 -\PC-PC0LK9HM
3.0 10.1.10.87 10.1.2.107 -\PC-PC0LK9K0
3.0 10.1.10.80 10.1.2.107 -\PC-PC0LQNWQ
3.0 10.1.10.144 10.1.2.107 -\PC-PC0A51BV
3.0 10.1.10.115 10.1.2.107 -\PC-PC0LK9LQ
3.0 10.1.10.105 10.1.2.107 -\PC-PC0A51F5
2.0 10.1.3.49 10.1.2.11 xcustomer-9P5152N\xcustomer-9P5152N
1.0 10.1.9.137 10.1.2.11 VM10-007$\VM10-007
1.0 10.1.3.49 10.10.2.11 xcustomer-9P5152N\xcustomer-9P5152N
1.0 10.1.3.45 10.1.2.200 -\MINWINPC
1.0 10.1.3.37 10.1.2.107 -\PC-PC0BCFZR
1.0 10.1.3.16 10.1.2.200 -\MINWINPC
1.0 10.1.3.16 10.1.2.11 xcustomer-9P5152N\xcustomer-9P5152N
1.0 10.1.3.16 10.10.2.11 xcustomer-9P5152N\xcustomer-9P5152N
1.0 10.1.3.15 10.1.2.107 -\PC-PC0AHKZ8
1.0 10.1.3.142 10.1.2.107 -\PC-PC0AHKZ8
1.0 10.1.13.42 10.1.2.107 -\PC-PC069JVP

7.4  Kerberos Details

DateTime Type Success Originator Krb Client Service Message Code
2018-08-10T00:00:00+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:00+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:01+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:01+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:01+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:01+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:00+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:00+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:00+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:00+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:00+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:01+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:01+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:01+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:01+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:01+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:01+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:01+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:01+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:02+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:02+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:02+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:02+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:02+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:02+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:02+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:02+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:02+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:02+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:03+0000 TGS F 10.1.2.28 - srv-wwp101$@xcustomer.LOCAL KDC_ERR_BADOPTION
2018-08-10T00:00:08+0000 TGS F 10.1.9.2 - jmo@xcustomer.LOCAL KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:20+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:20+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:23+0000 TGS F 10.100.7.14 - des KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:36+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:36+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:40+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:40+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:40+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:40+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:40+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:40+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:40+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:40+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:40+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:40+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:40+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:40+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:40+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:40+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:42+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:43+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:43+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:43+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:43+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:42+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:43+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:43+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:43+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:00:56+0000 TGS F 10.1.2.28 - HTTP/secretserver.xcustomer.Local KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:01+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:01+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:01+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:01+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:01+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:01+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:00+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:01+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:01+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:01+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:01+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:01+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:01+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:01+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:01+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:01+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:01+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:01+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:01+0000 TGS F 10.1.2.40 - BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:40+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:40+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:40+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:40+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:40+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:40+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:40+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:40+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:40+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:41+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:41+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:41+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:41+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:41+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:41+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:41+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:41+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:41+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:41+0000 TGS F 10.1.2.22 - T_BI_SP_search KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:47+0000 TGS F 10.1.2.139 - cifs/fileserver.xcustomer.Local KDC_ERR_S_PRINCIPAL_UNKNOWN
2018-08-10T00:01:56+0000 TGS F 10.100.7.14 - des KDC_ERR_S_PRINCIPAL_UNKNOWN

7.5  MS Shared Folders

MS Shared Folders
0 \\10.100.1.30\BFFILE
1 \\fileserver\afdelinger
2 \\fileserver\Projekter
3 \\pddbs0001.web0.xcustomer.dk\e-boks posteringer
4 \\pddbs0001.web0.xcustomer.dk\journaler
5 \\pddbs0002.web0.xcustomer.dk\k$
6 \\pddbs0002.web0.xcustomer.dk\l$
7 \\pddbs1001.webpreprod.xcustomer.dk\hurtigdiagnose
8 \\pddbs1001.webpreprod.xcustomer.dk\journaler
9 \\pddbs2001.webprod.xcustomer.dk\eboks-posteringer
10 \\pddbs2001.webprod.xcustomer.dk\hurtigdiagnose
11 \\pddbs2001.webprod.xcustomer.dk\journaler
12 \\pddbs2001.webprod.xcustomer.dk\nets
13 \\pddbs2001.webprod.xcustomer.dk\udlaendingeportal
14 \\pd-scan01\capturesv
15 \\pd-scan01.pd.fdc.dk\ClientLogs
16 \\pdweb0001.web0.xcustomer.dk\webtest-status.pen...
17 \\pdweb2011.webprod.xcustomer.dk\xml
18 \\qw\GeneratedHTML
19 \\qw\qlm
20 \\qw\QLM
21 \\sccmsrc\software
22 \\Sccmsrc\software
23 \\SRV-ASP102\BFDATA$
24 \\SRV-ASP102\BFERP
25 \\SRV-ASP102\BFINSTALL
26 \\SRV-ASP102\BFMANAGER
27 \\SRV-ASP102\BFSCAN
28 \\SRV-ASP102\READSOFTIMPORT
29 \\srv-asp113\ovk
30 \\srv-asp113\sdb
31 \\srv-asp113\SDB
32 \\srv-asp117\unilock 2.0
33 \\srv-asp117\UniLock 2.0
34 \\srv-asp117\UniLock_data
35 \\srv-asp128\DATA
36 \\srv-asp128\portman
37 \\srv-asp128\Portman
38 \\srv-asp128\PORTMAN
39 \\SRV-ASP128\portman
40 \\srv-asp133\c$
41 \\srv-asp133\Nets
42 \\srv-asp135\Office Telemetry
43 \\srv-asp136\files
44 \\srv-asp139\Backup
45 \\srv-asp139\bferp
46 \\srv-asp139\BFERP
47 \\Srv-asp139\BFERP
48 \\SRV-ASP139\BFERP
49 \\SRV-ASP139\BFOnline$
50 \\SRV-ASP139.xcustomer.Local\BFERP
51 \\SRV-ASP140\mh
52 \\srv-asp140\PortraitPDF
53 \\SRV-ASP140\PortraitPDF
54 \\srv-asq101\sdb
55 \\srv-asq101\SDB
56 \\srv-asq102\portman
57 \\srv-asq102\PORTMAN
58 \\srv-asq103\c$
59 \\srv-asq105\mh
60 \\Srv-asq105\mh
61 \\srv-asq105\PortraitPDF
62 \\Srv-asq105\PortraitPDF
63 \\srv-ast105\portman
64 \\srv-ast105\PORTMAN
65 \\srv-ast105\tradeexport
66 \\srv-ast109\portman
67 \\srv-ast109\PORTMAN
68 \\srv-ast110\portman
69 \\srv-ast110\PORTMAN
70 \\srv-ast111\portman
71 \\srv-ast111\PORTMAN
72 \\srv-ast114\files
73 \\srv-ast120\c$
74 \\srv-dbp115\c$
75 \\srv-dbp115\DWH Scripts
76 \\srv-dbp115\FilLeverancer
77 \\srv-dbp115\PDEDW UnitTests
78 \\srv-dbp116\Batch
79 \\srv-dbp116\Batch_data
80 \\srv-dbu104\Backup
81 \\srv-dbu104\Backupsps
82 \\srv-dbu104\c$
83 \\srv-dbu104\Data_Profiling
84 \\srv-dbu104\DWH Scripts
85 \\srv-dbu104\e$
86 \\srv-dbu104\FDC-Filer
87 \\srv-dbu104\FilLeverancer
88 \\srv-dbu104\g$
89 \\srv-dbu104\PDEDW UnitTests
90 \\srv-fsp111\afdelinger
91 \\SRV-FSP111\afdelinger
92 \\srv-fsp111\arkiv
93 \\srv-fsp111\c$
94 \\srv-fsp111\cel-nfs-sata-lun1
95 \\srv-fsp111\CitrixStreamingApps
96 \\srv-fsp111\diverse
97 \\srv-fsp111\f-drev
98 \\srv-fsp111\F-Drev
99 \\srv-fsp111\home
100 \\srv-fsp111\intranet
101 \\srv-fsp111\Intranet
102 \\srv-fsp111\ledelse
103 \\srv-fsp111\Ledelse
104 \\srv-fsp111\Lync
105 \\srv-fsp111\NFSImages
106 \\srv-fsp111.xcustomer.local\intranet
107 \\srv-fsp111.xcustomer.local\Projekter
108 \\srv-fsp111.xcustomer.local\software
109 \\SRV-FSP111.xcustomer.LOCAL\SOFTWARE
110 \\srv-fsp111\Program
111 \\srv-fsp111\projekter
112 \\srv-fsp111\Projekter
113 \\SRV-FSP111\Projekter
114 \\srv-fsp111\software
115 \\srv-fsp111\Software
116 \\srv-fsp111\ViewPM
117 \\srv-fsp111\x-drev
118 \\srv-fsp111\X-drev
119 \\SRV-FSP122\pdfile
120 \\srv-ftpz101\FTP_Root
121 \\srv-mmp121\f$
122 \\srv-mmp141\c$
123 \\SRV-MMP141\C$
124 \\SRV-MMP141.xcustomer.Local\SMS_PDK
125 \\srv-mmp142.xcustomer.Local\SMSPKGD$
126 \\srv-mmp144.xcustomer.Local\ADMIN$
127 \\SRV-MMP144.xcustomer.LOCAL\ADMIN$
128 \\srv-mmp144.xcustomer.Local\C$
129 \\SRV-MMP144.xcustomer.LOCAL\C$
130 \\srv-mmp144.xcustomer.Local\D$
131 \\SRV-MMP144.xcustomer.LOCAL\D$
132 \\srv-mmp144.xcustomer.Local\SMS_DP$
133 \\SRV-MMP144.xcustomer.LOCAL\SMS_DP$
134 \\SRV-MMP144.xcustomer.LOCAL\SMSPKGD$
135 \\srv-mmt108\SDB
136 \\srv-mmt111\c$
137 \\srv-msp131.xcustomer.local\pd-exmbx.xcustomer.local
138 \\srv-msp140\c$